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Abstract 

We show that, for any language in NP, there is an entanglement- resistant constant-bit 
two-prover interactive proof system with a constant completeness vs. soundness gap. The 
5^ ■ previously proposed classical two-prover constant-bit interactive proof systems are known 

I not to be entanglement-resistant. This is currently the strongest expressive power of any 

known constant-bit answer multi-prover interactive proof system that achieves a constant 
gap. Our result is based on an "oracularizing" property of certain private information 
retrieval systems, which may be of independent interest. 
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^ ■ 1 Introduction 

Properties of interactive proof systems have been shown to change in fundamental ways when 
. the underlying setting changes from classical information to quantum information. The first 

I result along these lines was discovered by Watrous [13], and several subsequent results have 

occurred. 

In the present paper, we are concerned with multiprover interactive proof systems (MIPs), 
first proposed (in the classical setting) by Ben-Or et al. \2\. An example of such a system, 
^ \ for 3SAT, is where the first prover is sent a clause of the formula and the second prover is 

■ sent a variable from the clause. The first prover must give a partial truth assignment that 

satisfies the clause and the second prover must give an assignment to the variable that is 
consistent with the first prover 's (this protocol occurs in several places in the literature, e.g., 
[8]). Classically, the completeness probability of this system is 1, whereas the soundness 
probability is at most 1 — g^^, where m is the number of clauses. Roughly speaking, the role 
of the second prover is to "oracularize" the first prover: to make it respond to queries as 
an oracle would; if the first prover behaves adaptively to queries, this introduces a positive 
probability that the results between the two provers are not consistent. In the quantum 
setting, if the provers are allowed to share a priori entanglement they can cheat the protocol 
in the sense that there are unsatisfiable 3CNF formulas where the soundness probability of the 
protocol is 1 (hence the gap is zero) [3] . Thus this particular oracularization technique fails in 
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the setting of quantum information (other examples are also given in [3]). Note that, in the 
above, quantum information enters the picture by the entanglement between the provers; the 
verifier and its communication with the provers remains classical. Interesting results have also 
been obtained for multiprover interactive proof systems where the communication between 
the verifier and provers is quantum. 

A major question is how the expressive power of two-prover interactive proof systems 
changes when the provers possess entanglement. Without entanglement, this is known to 
be NEXP [H [7]. Since entanglement can potentially increase both the completeness and 
soundness probability, it is not even clear whether the expressive power is a subset or superset 
of NEXP. In [3j (based on results in [8]), it is shown that a restricted class of MIPs (called ©- 
MIPs or XOR-MIPs) has the property that, classically, their expressive power equals NEXP; 
whereas, with entangled provers, its expressive power reduces to a subset of EXP (see |15) for 
a refinement of this result). Thus, for ©-MIPs, entanglement strictly reduces their expressive 
power (unless EXP = NEXP). An ©-MIP has the simple form where the verifier makes one 
polynomial-length query to each prover, and each prover returns a single bit answer to the 
verifier. The verifier's acceptance condition is a function of the XOR of the two answer bits 
and the questions. 

Our main result is the introduction of a new technique for oracularizing provers, based 
on properties of certain private information retrieval systems (PIRs). A PIR is a system 
that enables information to be obtained from a database without revealing to the database 
server (s) what the information is that is being queried. The framework is two (or more) 
isolated servers who each have a copy of the database, but who cannot communicate with 
each other. Instead of asking an individual server for the information (which would reveal the 
query), each server is asked for information and the responses are combined to produce the 
answer. There are ways of doing this such that no individual server acquires any information 
about the actual query being made. 

Intuitively, this seems like a natural approach to oracularizing provers in a MIP: if the 
servers have no idea of that is being queried in the first place, how can they make their an- 
swers adaptive? Although this sounds intuitively compelling, the non-adaptiveness property 
is operationally different from the PIR property. This distinction is reminiscent of the dis- 
tinction between malleable cryptography and non-malleable cryptography [4|. For example, a 
cryptosystem may be secure in the sense that it is not possible to deduce x from an encryption 
of X, nevertheless it may be possible from this encryption to construct an encryption of y that 
is somehow related to x. 

We show that certain PIRs are in fact non- adaptive in the sense that, not only do they 
reveal no information about the items queried to the servers, but they satisfy the additional 
property that the servers cannot conspire to make their answers satisfy a property that non- 
trivially depends on the queries made. Remarkably, this property is robust even against 
quantum servers who have the resource of a priori entanglement. 

Based on this, we show that ©-MIP has expressive power at least that of NP for entangled 
provers. This is the strongest expressive power of any known constant-bit answer MIP that 
achieves a constant gap. 

Related work is [3 HO], where other novel techniques are introduced. In this work, the 
complexity classes are supersets of NP; however, the gaps between completeness and sound- 
ness probability are smaller and the communication from the provers is larger. Hence these 
results are incomparable with ours. 
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2 Some notation 



We use the following notation in this paper. For s,t £ {0, l}™", let s • i G {0, 1} denote the 
inner product modulo 2 of s and t, and s (B t £ {0, 1}*" denote the bitwise exclusive-or of s 
and t. For j E {1, 2, . . . , m}, let ej G {0, 1}™" denote the characteristic vector of {j}, which is 
1 in component j and in all other components. 

3 Our main result 

Our main result is as follows. 

Theorem 3.1 For all e > 0, for any language L in NP, there exists a two-prover protocol V 
with entangled provers of the following form. Let x G {0, 1}" (n large enough depending on 
e) be the input received by the provers Alice and Bob and the Verifier V . 

1. V generates messages s and t, each of length polynomial in n, and a private bit 6; {s, t, 6) 
chosen from a certain polynomial time samplable joint distribution. V then sends s, t 
to Alice and Bob respectively. 

2. Alice and Bob respond with bits a and b respectively. 

3. V accepts x if and only if a®b = fx{s(Bt, 6), where fx is computable in time polynomial 
in n. 

The protocol satisfies the following soundness/completeness properties: 

Completeness: If x £ L then there exists a strategy for provers Alice and Bob such that V 
accepts with probability > 1 — e. 

Soundness: If x ^ L then, for all strategies of provers Alice and Bob, V accepts with prob- 
ability < ^ + e. 

The above theorem immediately implies NP C ©-MIP*[2,1], where ©-MIP*[2,1] represents 
that class of languages acceptable by two entangled prover proof systems with a single round 
of interaction and in which verifier only uses the xor of the bits answered by the provers to 
decide. 

4 The PCP system 

Let L £ NP and e > 0. From [8], there exists a probabilistically checkable proof (PCP) 
system for L of the following form. There is a proof verification procedure Vpcp that, for 
any n-bit string x (n large enough depending on e), takes an m-bit string w as input (where 
m G n^^^^) and accepts or rejects w as a certificate of a; G L based on the parity of three 
bits of w as follows. Vpcp probabilistically generates distinct i,j,k G {1,2, ... ,m} and 

5 G {0, 1}, from a certain polynomial time (in n) samplable joint distribution, and accepts if 
and only if Wi © Wj (Bwk = fxih j, k, 6), where fx is a polynomially computable function. The 
completeness/soundness properties of the proof system are as follows. 

Completeness: For all x G L, there exists a witness string w G {0, 1}"^ such that VpcP 
accepts with probability at least 1 — e. 

Soundness: For all x ^ L, for all w G {0, 1}™, Vpcp accepts with probability at most ^ +£• 
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5 Our protocol via the PIR reduction 

Using the PCP procedure Vpcp we obtain our protocol V as follows. On receiving input x, 
V interacts with provers Alice and Bob as follows. 

1. V simulates ^pcp in the generation of k £ {1,2, ... , m} and 5 £ {0, 1}. 

2. V chooses s £ {0,1}™", uniformly distributed and independently of i,j,k,6, and set 

t = 5 O 62 © O Gf^. 

3. V sends s to Alice and t to Bob, receiving one-bit answers a and b from them respectively. 

4. V accepts if and only if a © 6 = fxihj, k, 6). 

5.1 Completeness 

If X £ L then we know from the PCP procedure that there exists a PCP-witness w £ {0, 1}™. 
Consider the strategy in which Alice, on input s outputs a = w ■ s, and Bob, on input t, 
outputs b = w ■ t. Now, 

a© 6 = w{sBt) 

= w ■ {ci® Cj © e/c) 
= Wi(B Wj © Wk ■ 

Therefore V accepts whenever Vpcp accepts the PCP string w, and hence the probability of 
acceptance of V is at least 1 — e. 

5.2 Soundness 

The proof of soundness employs a result about certain XOR games that are similar to those 
analyzed by Linden et al. |13j . Lets define a transversal XOR game as an interactive protocol 
between a verifier and two entangled provers, Alice and Bob, that is specified by a function 
g : {0, 1}™ X {0, 1}' {0, 1} and a distribution vr on {0, 1}™ x {0, 1}'. The operation of the 
game is as follows. 

1. The verifier generates {z,r) £ {0,1}'" x {0,1}' according to distribution vr. Then the 
verifier produces two shares of z, s and t, by generating s £ {0, 1}" uniformly and 
independently of z and setting t = s (B z. The verifier sends s to Alice and t to Bob. 

2. Alice and Bob produce bits a and 6, respectively, and send them to the verifier. 

3. The verifier accepts if and only if a © 6 = g{s © t, r). 

The following is a slight generalization of a result in [13] and its proof appears in the 
Appendix El 

Theorem 5.1 Let G be a transversal XOR game specified by g : {0, 1}"^ x {0, 1}' ^ {0, 1} 
and the distribution vr. Then the optimal strategy that maximizes Pr[a © 6 = g(s © t, r)] does 
not use any entanglement and is of the following form. For some u £ {0, 1}"* and 7 £ {0, 1} 
(that depend on g and vr ), Alice responds with a = (u • s) © 7 and Bob responds with b = u-t. 
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Now in our protocol "P, the verifier on receiving x could be thought of as playing a 
transversal XOR game with the provers Alice and Bob by letting r = 6 and 

g : {0,1}"" X {0,1} {0,1} be such that g{ei ® ej ® ek,6) = f^{i,j,k,6). 

Let X ^ L. Now from Theorem 15.11 the optimal strategy for the provers in which they are 
trying to maximize the acceptance probability of the verifier V would be as follows. Alice 
and Bob ignore the entanglement and for some u £ {0, 1}™" and 7 G {0, 1}, Alice outputs 
a = (u • s) © 7 and Bob outputs a = u ■ t. 

Now it can be easily shown that Fic[V accepts x] = Pr[a © 6 = g{x,s © t)] < 1/2 + e. 

Consider the following PCP witness w. For all j G {1, 2, . . . , m}, set Wj = uj © 7. Note that 
this witness satisfies 

Wi © Wj ®Wk = Ui ® Uj ® Uk ® ^ 

= u • (ci © Cj © Cfc) © 7 
= M-(s©t)©7 
= a © 6. 

Combining this with the fact that fxihj, k, 6) = g{s © t, 5) enables us to conclude that 
Pr[a © 6 = g{x, s © i)] = Pr^ © wj ewk = fx{i,j, k, 6)] < ^ + e. 

The last inequality comes from the soundness property of the PCP procedure l^cp- Thus 
Pr[y accepts x\ in the protocol V is at most \ + £ and hence the soundness property is 
satisfied. 
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A Proof of Theorem 15.11 

Our proof follows very much in the lines of the proof of Linden et al. [^. Let Alice and Bob 
share a pure quantum state between them. Let Z,Rhe a pair of random variables jointly 
distributed according to it. Let 5, T G {0, !}"■ represent the random variables correspoding 
to the questions of verifier V to Alice and Bob respectively. Let A, B represent the random 
variables correspoding to the answers by Alice and Bob respectiely. Note that in our case 
Z = S®T and S is uniformly distributed and is independent of {Z,R). It is well know that 
Vv[g{z, r) = A(BB \ {S, Z, R) = {s, z, r)] can be expressed as follows, 

Fr[giz,r) = A(BB \ {S,Z,R) = {s,z,r)] = 1(1 + (-l)9(-'-)(</,|^ B^^.m 

, where As,Bsqz are Hermitian operators with eigenvalues in {—1, 1}, (which are also some- 
times referred to as observables). Therefore we have, 

Pr[y accepts] = ^ Pr[(S, Z, R) = (s, z, r)] Pi[g{z, r) = A®B \ {S, Z, R) = (s, z, r)] 

s,z,r 

= Y,FT[iS,Z,R) = {s,z,r)].^{l + {-iy(^'^\^\A,^Bs^M) 

s,z,r 
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s,z,r 

s,z r 

Now let, 

0,^^Pr[(i?,Z) = (r,z)].^(-l)^(^''-) 

r 

Note that as defined above |a),|/3) are unit vectors. Also $ is Hermitian. Therefore from 
above we have, 

1 1 

Pr[F accepts] = - + ^ — 0^(</>|A, S,ez|</>) 

s,z 

= l + (a|(I®$)|/3) 

< ^ + IIHI|2||(/®$)||oo|||/3)||2 

Above ||$||oo represents the highest singular value of $ and since $ is Hermitian it means 
the highest modulus eigenvalue. 

Now we show below that the eignevectors of $ are precisely the Hadamard vectors l^x) = 
E^e{o,i}"(-l)"1^') (for u e {0, 1}") with eigenvalues A„ = Ez(-l)"'^^z- Consider, 

s,z i;G{0,1}" 
s,z 

2 S 

= K\u) 

Next we show that there exists a classical strategy by Alice and Bob such that Pr[V accepts] = 
I + Halloo- Let \w) be the eigenvector of $ corresponding to the highest modulus eigenvalue. 
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Let 7 = if > and 1 otherwise. Now let Alice answer with {w ■ s)©7 to question s and 
let Bob answer with {w ■ t) to question t. Then we see that, 

Pr[V accepts] = ^ Pr[{S, Z, R) = (s, z, r)] Pi[g{z, r) = {w s)®'y®{w ■ {s®z))] 

s,z,r 

= J2 ^' ^) = ^' ^)] r) = iw z)®j] 

s,z,r 

= Y.^v[{S,Z,R) = {s,z,r)]{\ + 

s,z,r 

= 1 + 11 Pr[(5,Z,i?) = {s,z,r)] ■ \ ■ (-i)5(-,0+(--)+7 

s,z,r 

= 1 + 1 Pr[(^, R) = {z, r)].\. (_i)^;(-.0+(--)+7 

z,r 

z r 
z 

= l + \u = l + m\oo 
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